From 19561a1dfd111b7b2dd941ac2ca0d46ee5ce16f6 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 4 Jun 2019 15:56:15 +0200 Subject: tunnel: retain SeLoadDriverPrivilege This is a big loss. We'll need to revisit this. Signed-off-by: Jason A. Donenfeld --- attacksurface.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'attacksurface.md') diff --git a/attacksurface.md b/attacksurface.md index 7e1906b0..7b1f16ae 100644 --- a/attacksurface.md +++ b/attacksurface.md @@ -19,7 +19,7 @@ The tunnel service is a userspace service running as Local System, responsible f - A listening pipe in `\\.\pipe\WireGuard\%s`, where `%s` is some basename of an already valid filename. Its permissions are set to `O:SYD:(A;;GA;;;SY)`, which presumably means only the "Local System" user can access it and do things, but it might be worth double checking that. This pipe gives access to private keys and allows for reconfiguration of the interface, as well as rebinding to different ports (below 1024, even). - It handles data from its two UDP sockets, accessible to the public Internet. - It handles data from Wintun, accessible to all users who can do anything with the network stack. - - After some initial setup, it uses `AdjustTokenPrivileges` to remove all privileges. + - After some initial setup, it uses `AdjustTokenPrivileges` to remove all privileges, except for `SeLoadDriverPrivilege`, so that it can remove the interface when shutting down. This latter point is rather unfortunate, as `SeLoadDriverPrivilege` can be used for all sorts of interesting escalation. Future work includes forking an additional process or the like so that we can drop this from the main tunnel process. ### Manager Service -- cgit v1.2.3-59-g8ed1b